How Wireless Intruders Can Bypass NAC Controls

A researcher at this month's SecTor conference will demonstrate the dangers of not employing EAP-TLS wireless security.

Organizations using port-based network access control (NAC) devices to contain wireless intruders may be less secure than they assume.

Unless an organization is using the most secure WPA2-EAP authentication, an attacker with an initial foothold on the enterprise wireless network can bypass the protections enabled by NAC appliances and pivot deeper into the enterprise.

That's according to Gabriel Ryan, security engineer at Gotham Digital Science, who will present a paper on the topic at the upcoming SecTor security conference in Toronto this month.

Ryan's presentation on the "Black Art of Wireless Post-Exploitation" examines the implications of the practice, by many organizations, to use NAC appliances as a way to try and contain attackers who may have breached the wireless network.

Often, companies employ this method to compensate for the relatively weak perimeter security provided by EAP-TTLS and EAP-PEAP authentication mechanisms, says Ryan. Both protocols have long been susceptible to so-called evil twin attacks for harvesting usernames and passwords. But many enterprises still continue to use TTLS and PEAP because the more secure certificate-based, two-way authentication provided by EAP-TLS is much harder to implement.

Rather than using EAP-TLS to try and prevent wireless breaches from happening, many organizations instead rely on NAC appliances to identify and quarantine any devices that might manage to breach their wireless network protections.

The problem with this approach is that it assumes a wireless device that is quarantined in a VLAN is truly isolated and cannot communicate with other devices on the network when in reality it can.

"On a wired network if you violate a rule imposed by the NAC, the NAC will see you and quarantine you," Ryan says. The model works because it banks on the assumption that the physical layer is secure.

"In wireless, you cannot keep two radio receivers from working with each other," Ryan says. "Client isolation is a logical control, not a physical control."

In a wireless network, WPA2-EAP provides the physical layers of protection. If weak forms of WPA2-EAP are used, an attacker can take control of the physical layer via rogue access point attacks and bypass NAC protections, he says.

At SecTor, Ryan will demonstrate two attacks. One of them is a so-called hostile portal attack to steal Active Directory credentials from a WPA2-EAP network, without network access. The other is what Ryan describes as indirect wireless pivots in which rogue wireless access points are used as mechanisms for bypassing port based access control completely.

Ryan's hostile portal attack involves the use of a rogue wireless access point to force a client device that is trying to access an enterprise wireless network to connect with the attacker's device instead so authentication credentials can be obtained. The hostile attack then leverages previously demonstrated techniques to crack the RADIUS passwords needed for the attacker's device to fully associate with the victim client device.

The indirect wireless pivots method leverages the same technique to get an attacker device that is in a quarantined VLAN to communicate with a victim device in a restricted VLAN segment. The pivot involves forcing the victim device to associate with the attacker's network via a rogue access point and then relaying traffic from the victim to an SMB share on the attacker's system in the quarantine VLAN.

Attackers can use the technique to grab the NT LAN Manager hash from the victim device, crack it using previously demonstrated techniques, and eventually associate the victim device to the attacker in the quarantine VLAN segment.

"The takeaway here is that you cannot rely on NAC appliances as a means of compensating for the risk," of not using EAP-TLS, Ryan says. When designing security mechanism for you network take into account the way that the underling physical layer works, he notes. "Security controls that work on a wired network do not work the same on a wireless network."

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prag...

Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privile...